- The MAILING DATE of this communication appears on the cover sheet with the correspondence address -
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) ☒ Responsive to communication(s) filed on 3/26/09.
2a) ☒ This action is FINAL. 2b) □ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) ☒ Claim(s) 1-8, 13-15 and 17-24 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) □ Claim(s) is/are allowed.

6) ☒ Claim(s) 1-8, 13-15 and 17-24 is/are rejected.

7) □ Claim(s) is/are objected to.

8) □ Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) □ The specification is objected to by the Examiner.

10) □ The drawing(s) filed on is/are: a) □ accepted or b) □ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) □ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) □ All b) □ Some * c) □ None of:

1. □ Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No.

3. □ Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.

2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948) Paper No(s)/Mail Date.

3) □ Information Disclosure Statement(s) (PTO/SB/08) Paper No(s)/Mail Date.

5) □ Notice of Informal Patent Application

6) □ Other:

DETAILED ACTION

Response to Amendment 

The Affidavit filed on 3/26/09 under 37 CFR 1.131 has been considered but is ineffective 
to overcome the Blake reference. 

The evidence submitted is insufficient to establish diligence from a date prior to the date 
of reduction to practice of the Blake reference to either a constructive reduction to practice or an 
actual reduction to practice. 

Statements that the subject matter "was diligently reduced to practice" are not a showing
but a mere pleading. MPEP 2138.06.

A 2-day period lacking activity has been held to be fatal. Preparation of routine periodic reports
covering all accomplishments of the laboratory is insufficient to show diligence. The work relied
upon to show reasonable diligence must be directly related to the reduction to practice of the
invention in issue. The work relied upon must be directed to attaining a reduction to practice of
the subject matter of the counts. It is not sufficient that the activity relied on concerns related
subject matter. MPEP 2138.06.

Applicant has submitted a declaration asserting diligence, but many of the statements are
ambiguous, such as "meetings" and "emails discussing development". These statements are
insufficient to establish due diligence. Apart from said declaration, the only evidence of
conception, diligence and reduction to practice are 1 specification dated 11/2002 showing
conception, and 1 power point presentation asserting production, and thus actual reduction to
practice.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 1-4, 7, 15, 18-20, 23 and 24 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Blake US 2004/0128543 in view of Becker US 2004/0139128.

As per claims 1 and 23, Blake teaches deploying a honey pot (Fig 4, system for morphing a
honeypot on a dynamic and configurable basis, administrator configures honeypot)
[0011], [0036]. Blake teaches detecting a breach of the honey pot (suspicious requests,
acts to compromise honeypot, client system probing for vulnerability, attacks) [0038],
[0070], [0075], [0084]. Blake teaches capturing the state of the honeypot including
creating a copy of the data associated with a compromised honeypot (activity logs)
[0040]. Blake teaches automatically redeploying the honey pot [0037], [0076].

Becker teaches reinitializing to an initial state via an image [0151], [0163]. 

It would have been obvious to one of ordinary skill in the art to use the image of Becker
with the redeployment of Blake because it would restore the honeypot after a
compromise.

As per claim 2 Blake teaches analyzing the breach (analysis operations, analyzing 
requests) [0037], [0075]. 

As per claim 3 Blake teaches automatically analyzing the breach (automatic analysis), 
Figure 4, [0037], [0075]. 

As per claim 4 Blake teaches the breach is automatically detected (determination is made 
as to whether a probe has been detected) [0070], [0075]. 

As per claim 7, Blake teaches configuring the honey pot (configuration phase (step 402)) 
[0037]. 

As per claim 15 Blake teaches the detecting is based on an elapsed time (track suspicious 
client requests over time) [0070]. 

As per claim 18 Blake teaches saving state information associated with the honey pot 
(activity logs) [0040]. 

As per claim 19 Blake teaches saving state information associated with the honey pot and 
wherein saving and redeploying occur in parallel (all activity, actions taken by emulated 
services, or honeypot as whole, is logged) [0040]. 

As per claim 20, Blake teaches analyzing the breach and redeploying occur in parallel 
(analysis and reconfiguration operations performed at the same time) [0037]. 

As per claim 24, Blake teaches deploying a honey pot (Fig 4, system for morphing a
honeypot on a dynamic and configurable basis, administrator configures honeypot)
[0011], [0036]. Blake teaches detecting a breach of the honey pot (suspicious requests,
acts to compromise honeypot, client system probing for vulnerability) [0038], [0070],
[0075]. Blake teaches automatically redeploying the honey pot (automatic
reconfiguration operations, reconfigured to present information reflecting a different
vulnerability) [0037], [0076]. Blake teaches the honeypot is implemented using a
processor and memory coupled to the processor (CPU, disk units) [0026].

Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Blake US
2004/0128543 in view of Becker US 2004/0139128 in view of Fagone US 2004/0078592.

As per claim 6 Blake does not teach shutting down the honey pot. 

Fagone teaches shutting down the honeypot (disconnecting from network) [0017]. 

It would have been obvious to one of ordinary skill in the art to use the shut down method 
of Fagone in case a honeypot becomes a danger to the network [0017]. 

Claim 8 is rejected under 35 U.S.C. 103(a) as being unpatentable over Blake US
2004/0128543 in view of Becker US 2004/0139128 in view of Schlereth "Analysis of a
Compromised Honeypot on a Cable Modem".

As per claim 8, Blake does not teach copying a honey pot image.

Infocus teaches creating and copying a honeypot image (creating an image of a
compromised system for investigation, Pages 21-24).

It would have been obvious to one of ordinary skill in the art to use a honeypot image 
because it limits the chance of destroying evidence on the compromised system (page 
24). 



Claims 13 and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Blake US 2004/0128543 in view of Becker US 2004/0139128 in view of Lewis US
2003/0110396.



As per claim 13, Blake fails to teach detecting is based on the number of outgoing
connections detected. Lewis teaches detecting is based on the number of outgoing
connections detected (large number of IP requests) [0079].

It would have been obvious to one of ordinary skill in the art to use the detection of
Lewis in the system of Blake to detect Denial of Service attack attempts.

As per claim 14, Blake fails to teach detecting is based on the number of incoming
connections detected. Lewis teaches detecting a breach based on the incoming
connections detected (abnormally large connection attempts to target) [0062].

It would have been obvious to one of ordinary skill in the art to use the detection of
Lewis in the system of Blake to detect Denial of Service attack attempts.

Claim 17 is rejected under 35 U.S.C. 103(a) as being unpatentable over Blake US
2004/0128543 in view of Becker US 2004/0139128 in view of INFOCUS The Honeynet
Project.

As per claim 17, Blake does not specify an operating system.

Infocus teaches the honey pot runs a Linux operating system (linux, page 3). It would
have been obvious to one in the art to use the multiple OS of Infocus with the honeypot
of Blake because it provides support to create a honeypot for a wide range of users.

Claims 21 and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Blake US 2004/0128543 in view of Becker US 2004/0139128 in view of Turk US
2005/0108415.

As per claims 21 and 22, Blake does not teach mapping an IP address to a honeypot.

Turk teaches receiving an incoming connection associated with an IP address (pinging a
given IP address) [0071]. Turk teaches mapping the IP address to the honey pot (honeypot
responds to unrouted IP address requests) [0071]. Turk teaches releasing the IP address
mapping and mapping another IP address to the honey pot (honeypot accepts any IP
address request that is not stored in the routing table, thus it will remap to a different IP if
a different unrouted destination IP request arrives) [0071].

It would have been obvious to one of ordinary skill in the art to use the IP mapping of
Turk with the system of Blake because it tricks a malicious user into thinking they have
successfully compromised their target destination IP.

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to CHRISTOPHER J. BROWN whose telephone number is 
(571)272-3833. The examiner can normally be reached on 8:30-6:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kambiz Zand, can be reached on (571)272-3811. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Christopher J Brown/ 7/10/09 
Primary Examiner, Art Unit 2439 



